Software Risk Manager

Category: ASPM
License: Commercial

Software Risk Manager (SRM) is Black Duck’s Application Security Posture Management platform that aggregates and correlates findings from 150+ security scanning tools.

Formerly known as Code Dx, SRM consolidates security findings from SAST, DAST, IAST, SCA, and manual penetration testing into a single view.

What is Software Risk Manager?

Software Risk Manager correlates vulnerability findings across tools to eliminate duplicates and prioritize remediation efforts.

The platform normalizes results from different scanners, so a SQL injection found by Checkmarx and the same issue found by Fortify appear as one finding with multiple sources.

Originally developed as Code Dx, the technology was acquired by Synopsys in 2022 and became part of Black Duck following Synopsys’ divestiture of its Software Integrity Group in 2024.

Key Features

Multi-Tool Aggregation

Software Risk Manager integrates with 150+ security tools across categories:

Category         Tools
SAST             Checkmarx, Fortify, Coverity, SonarQube
DAST             Burp Suite, OWASP ZAP, Acunetix
SCA              Black Duck, Snyk, Dependency-Check
Secrets          GitLeaks, TruffleHog
Container/Cloud  Trivy, container analysis tools
Mobile           Mobile security scanning tools
Network          Network scanning integration

Vulnerability Correlation

The platform correlates findings across tools, for example:

Tool A: SQL Injection in login.php:42
Tool B: SQL Injection in login.php:42
Tool C: Database Query Issue in login.php

SRM → Single finding with 3 supporting sources

This correlation reduces noise and increases confidence in findings.

Risk-Based Prioritization

Software Risk Manager prioritizes vulnerabilities based on:

  • Severity and exploitability
  • Business context and asset criticality
  • Number of corroborating findings
  • Historical remediation patterns
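The correlation and prioritization steps described above, as an added example that is not SRM's own code or API: findings from several scanners are normalized to a canonical category and path, merged when they point at the same defect (a line-less report attaches to the matching finding in the same file), and then ranked by severity, corroboration and asset criticality. The tool labels, category map, criticality table and sample findings are all constructed for the example.

```python
"""Added example: normalize, correlate and rank scanner findings.
Not SRM's code; the category map, weights and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Assumption: each tool's label is mapped to a canonical CWE category so
# differently worded reports of the same defect compare equal.
CATEGORY_MAP = {
    "sql injection": "CWE-89",
    "sqli": "CWE-89",
    "database query issue": "CWE-89",
    "cross-site scripting": "CWE-79",
    "xss": "CWE-79",
}

# Constructed business context: files whose exposure raises the score.
ASSET_CRITICALITY = {"src/login.php": 2.0}

# Constructed sample input: one dict per raw scanner report.
RAW_FINDINGS = [
    {"tool": "Tool A", "title": "SQL Injection", "file": "src/login.php", "line": 42, "severity": "high"},
    {"tool": "Tool B", "title": "SQLi", "file": "./src/login.php", "line": 42, "severity": "critical"},
    {"tool": "Tool C", "title": "Database Query Issue", "file": "src/login.php", "line": None, "severity": "medium"},
    {"tool": "Tool A", "title": "Cross-Site Scripting", "file": "src/search.php", "line": 10, "severity": "medium"},
]


@dataclass
class Finding:
    category: str
    file: str
    line: Optional[int]
    sources: List[str] = field(default_factory=list)
    severities: List[str] = field(default_factory=list)

    def add(self, raw):
        self.sources.append(raw["tool"])
        self.severities.append(raw["severity"])


def norm_path(path: str) -> str:
    """Unify separators and strip leading './' so paths from different tools match."""
    path = path.replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path


def category(raw) -> str:
    label = raw["title"].strip().lower()
    return CATEGORY_MAP.get(label, label)


def correlate(raw_findings) -> List[Finding]:
    """Merge reports of the same defect into one Finding with several sources."""
    groups = {}
    # Pass 1: reports with a line number group on (category, file, line).
    for raw in raw_findings:
        if raw["line"] is None:
            continue
        key = (category(raw), norm_path(raw["file"]), raw["line"])
        groups.setdefault(key, Finding(*key)).add(raw)
    # Pass 2: line-less reports attach to a unique (category, file) match;
    # if there is no match or the match is ambiguous they stay separate.
    for raw in raw_findings:
        if raw["line"] is not None:
            continue
        cat, path = category(raw), norm_path(raw["file"])
        matches = [f for (c, p, _), f in groups.items() if c == cat and p == path]
        if len(matches) == 1:
            matches[0].add(raw)
        else:
            groups.setdefault((cat, path, None), Finding(cat, path, None)).add(raw)
    return list(groups.values())


def risk_score(f: Finding) -> float:
    """Worst reported severity, boosted by corroborating tools and asset criticality."""
    worst = max(SEVERITY_WEIGHT[s] for s in f.severities)
    corroboration = 1 + 0.25 * (len(set(f.sources)) - 1)
    return worst * corroboration * ASSET_CRITICALITY.get(f.file, 1.0)


def prioritize(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=risk_score, reverse=True)


if __name__ == "__main__":
    for f in prioritize(correlate(RAW_FINDINGS)):
        loc = f"{f.file}:{f.line}" if f.line is not None else f.file
        print(f"{risk_score(f):5.1f}  {f.category}  {loc}  sources={sorted(set(f.sources))}")
```

Run as-is, the three SQL injection reports collapse into one finding with three supporting sources that outranks the single-source XSS.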

SBOM Generation

Generate a Software Bill of Materials (SBOM) in standard formats:

  • CycloneDX
  • SPDX
  • Custom formats
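To make the CycloneDX format concrete, here is an added example (not SRM's SBOM exporter) that builds a minimal CycloneDX 1.5 JSON document from a constructed component list and checks the fields a downstream consumer relies on before the file is handed over. The application name, components and ecosystems are assumptions.

```python
"""Added example: build and sanity-check a minimal CycloneDX 1.5 JSON SBOM.
Not SRM's code; component data below is constructed."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample inventory, as an SCA tool might report it.
COMPONENTS = [
    {"type": "library", "name": "lodash", "version": "4.17.21", "ecosystem": "npm"},
    {"type": "library", "name": "requests", "version": "2.31.0", "ecosystem": "pypi"},
]


def purl(component) -> str:
    """Package URL identifying the component: pkg:<ecosystem>/<name>@<version>."""
    return f"pkg:{component['ecosystem']}/{component['name']}@{component['version']}"


def build_cyclonedx(app_name: str, app_version: str, components) -> dict:
    """Return a CycloneDX 1.5 BOM as a plain dict ready for json.dumps."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": [
            {"type": c["type"], "name": c["name"], "version": c["version"], "purl": purl(c)}
            for c in components
        ],
    }


def validate_bom(bom: dict) -> list:
    """Return a list of problems; an empty list means the BOM has what a consumer needs."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if not str(bom.get("specVersion", "")).startswith("1."):
        problems.append("specVersion missing or not 1.x")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        problems.append("serialNumber must be a urn:uuid")
    for i, c in enumerate(bom.get("components", [])):
        for key in ("type", "name", "version"):
            if not c.get(key):
                problems.append(f"component {i} is missing '{key}'")
    return problems


if __name__ == "__main__":
    bom = build_cyclonedx("webapp", "1.0.0", COMPONENTS)
    print(json.dumps(bom, indent=2))
    print("problems:", validate_bom(bom) or "none")
```

The validation step is deliberately strict about the serial number and per-component identity, since an SBOM that cannot be tied to one build or whose components lack versions is of little use for compliance or vulnerability matching.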

Integration

CI/CD and DevOps

Platform    Integration
GitHub      Automated SAST/SCA scanning via GitHub Actions
GitLab      Templates for scans on each build
Bitbucket   Security Scan Pipe integration
Jenkins     Black Duck Jenkins Plugin for automated scanning
Maven/npm   Build tool integration for static analysis

Ticketing

Software Risk Manager tightly integrates with Jira to eliminate duplicate tickets and efficiently assign work to developers.

Jenkins Example

pipeline {
  agent any   // a declarative pipeline must declare where its stages run
  stages {
    stage('Security Scan') {
      steps {
        // Upload the scanners' result files to the named SRM project
        srm analysis: 'my-project',
            files: 'scan-results/*.xml'
      }
    }
  }
}

Deployment

Software Risk Manager supports multiple deployment options:

Option          Description
Kubernetes      Deploy via Helm charts (srm-k8s)
Docker Compose  Standalone deployment (srm-docker)
On-premise      Traditional server installation

When to Use Software Risk Manager

Software Risk Manager is ideal for organizations that:

  • Use multiple security scanning tools
  • Need centralized vulnerability management
  • Want to reduce duplicate findings
  • Require SBOM generation for compliance
  • Already use Black Duck products (Coverity, Black Duck SCA)

Note: Formerly Code Dx. Synopsys acquired Code Dx in 2022, then divested its security business to Black Duck in 2024.